Over Half of DoD Suppliers Fail With Their Governance Controls

CMMC 2.0 Governance Crisis: Data Shows 62% of Defense Contractors Lack Critical Controls for Certification Success

Defense contractors pursuing CMMC 2.0 Level 2 certification face a stark reality check: 62% operate without the comprehensive governance controls that correlate with certification success. This finding emerges from Kiteworks’ 2025 analysis of 104 organizations actively pursuing CMMC 2.0, part of a broader survey examining 461 organizations’ data security and compliance practices worldwide.

The governance deficit creates cascading vulnerabilities throughout defense supply chains. Organizations tracking effectiveness metrics show markedly better security outcomes—only 19% fall into low-encryption categories compared to 25% among those operating without measurement discipline. For contractors handling sensitive data, these gaps represent significant operational and compliance risks.

What the Data Reveals About CMMC 2.0 Readiness

Among 104 defense contractors pursuing CMMC 2.0 Level 2 certification, patterns emerge that should concern every organization in the defense industrial base. The survey data, collected in April 2025, reveals fundamental disconnects between security investments and governance maturity.

Only 38% of CMMC-pursuing organizations have instituted comprehensive governance control and tracking systems, slightly below the 40% rate across all industries surveyed. This 2-percentage-point disadvantage becomes critical when combined with other governance deficiencies, creating compound risks for certification success. The measurement discipline gap proves even more telling—organizations implementing any form of effectiveness measurement achieve demonstrably better results. Within the CMMC cohort, 19% of organizations tracking metrics fall into low-encryption categories (≤50% coverage) compared to 25% of non-measuring organizations, while 95% of CMMC organizations track some metrics versus 93% across all industries.

Perhaps most concerning, only 22% of CMMC organizations embed security requirements in supplier contracts, compared to 27% across all surveyed organizations. This 5-percentage-point gap represents a fundamental weakness in supply chain security—particularly critical given CMMC’s flow-down requirements for data protection throughout the defense industrial base.

Key Takeaways

  1. Mid-market organizations lead CMMC encryption success through governance-first strategies

    Mid-market organizations (5,000-9,999 employees) achieve the highest CMMC encryption success at 59%. Their governance-first approach—prioritizing policy updates and compliance budgets over pure technical controls—outperforms both smaller firms (52%) and large enterprises (38%). This suggests optimal CMMC outcomes come from balanced governance investment rather than organizational scale or resources.

  2. Measurement discipline drives significant improvement in security outcomes

    Measurement discipline creates a 6-percentage-point improvement in security outcomes. Organizations tracking effectiveness metrics show only 19% low-encryption rates compared to 25% for those without measurement systems. This performance gap represents thousands of potential vulnerabilities across defense supply chains and directly impacts certification readiness.

  3. Contractual supplier security requirements remain a critical CMMC governance gap

    Only 22% of CMMC organizations embed contractual security requirements with suppliers. This 5-percentage-point deficit compared to the 27% industry average represents the most critical and addressable governance gap. Without contractual frameworks, the 48% conducting supplier audits cannot ensure compliance throughout their supply chains.

  4. North American organizations dominate CMMC pursuit, creating both advantages and risks

    North American organizations dominate CMMC pursuit at 62% versus 32% in the general survey. This near-doubling of representation reflects intense U.S. defense industrial base pressure while suggesting international suppliers may be underestimating their obligations. The geographic concentration creates both competitive advantages and systemic risks for domestic contractors.

  5. Internal measurement discipline is essential for successful external consultant engagement

    External consultants provide no measurable advantage without internal measurement discipline. Organizations using partners achieve similar outcomes to those going solo when both maintain measurement systems (45-46% top-tier encryption). The data indicates expertise without governance frameworks fails to improve outcomes, making internal discipline the prerequisite for successful partner engagement.

Geographic Concentration and Size Dynamics

The geographic distribution reveals intense pressure within the U.S. defense industrial base, with 62% of CMMC respondents operating in North America versus just 32% in the general survey. Asia-Pacific regions contribute 20% of CMMC respondents, while Europe represents 11% and Middle East/Africa accounts for 7%. This concentration suggests international suppliers may be underestimating their CMMC obligations or are less advanced in preparation efforts.

Organization size correlates strongly with security outcomes, though not in expected ways. Mid-market organizations (5,000-9,999 employees) demonstrate the strongest performance, with 59% achieving top-tier encryption coverage (76-100%). This surpasses both smaller organizations under 5,000 employees (52%) and significantly outperforms large enterprises with over 20,000 employees (38%). The paradox suggests that success stems from governance discipline rather than resources or scale.

Mid-market organizations’ approach differs markedly from their peers. While 36% prioritize policy and data protection agreement updates (tied with increased compliance budgets), smaller organizations focus heavily on new technical controls (37%), and the largest enterprises similarly emphasize technology solutions (38%). This governance-first approach among mid-market firms correlates directly with their superior outcomes.

Regulatory Evolution and Vendor Compliance Dominate Challenges

Survey respondents ranked challenges using a weighted scoring system, revealing two concerns that tower above all others. “Keeping up with evolving regulations” earned a score of 78 points, with 23% ranking it as their primary challenge and 38% placing it among their top two concerns. CMMC organizations prioritize this challenge 6 percentage points more than the general population, reflecting the dynamic nature of defense compliance requirements.

Close behind, “vendor compliance and risk” scored 73 points, with 18% ranking it as their primary challenge and 38% placing it in their top two concerns. Notably, 39% of CMMC organizations cite vendor compliance among their top three challenges versus 32% across all industries—a 7-percentage-point gap that underscores the unique supply chain pressures in defense contracting.

These regulatory and supply chain challenges significantly outweigh other concerns. “Balancing compliance versus data access” scores 59 points, while “employee training and awareness” registers 42 points. Budget constraints barely register at 5 points, suggesting resources exist but governance frameworks to deploy them effectively do not. This pattern holds across organization sizes, with vendor compliance ranking as the most persistent operational challenge regardless of scale.

Vendor Risk Management Gap

The vendor compliance challenge deserves deeper examination given its prominence across all organization sizes and its critical role in CMMC success. Current vendor risk controls among CMMC organizations show mixed maturity. While 48% conduct regular supplier audits (versus 44% overall) and 38% use third-party risk management tools (versus 37% overall), critical gaps remain.

Only 28% of CMMC organizations perform formal third-party risk assessments, marginally above the 25% industry average. Most concerning, just 22% embed contractual security requirements—5 percentage points below the 27% industry standard. This contractual gap proves particularly troubling given CMMC’s mandatory flow-down requirements for data protection throughout supply chains. Without contractual obligations, organizations cannot ensure suppliers maintain required security controls or properly handle sensitive defense information.

The implications cascade through defense supply chains. Organizations managing hundreds or thousands of suppliers face exponential complexity when contractual frameworks don’t exist to enforce standards. The 39% citing vendor compliance as a top challenge likely underestimate the full scope of their exposure, particularly given that many don’t know their complete supplier ecosystem.

Strategic Implementation Patterns Reveal Success Factors

Small and mid-size organizations under 5,000 employees predominantly focus on technical solutions, with 37% prioritizing new technical controls. Secondary actions include updated policies and data protection agreements (33%) and enhanced third-party risk management (28%). Their challenges mirror broader patterns: vendor compliance affects 41%, balancing access versus requirements concerns 39%, and evolving regulations trouble 37%. With 52% achieving top-tier encryption, these organizations demonstrate moderate success despite resource constraints.

Mid-market organizations between 5,000 and 9,999 employees show markedly different approaches and outcomes. Equal numbers (36%) prioritize policy updates and increased compliance budgets, while 32% enhance third-party risk management. Their challenges intensify—46% struggle with vendor compliance and 41% cite overlapping regulations. Yet this governance-focused approach yields the highest success rate, with 59% achieving top-tier encryption coverage.

Large enterprises exceeding 20,000 employees face complexity challenges despite substantial resources. New technical controls dominate their approach (38%), followed by increased budgets (33%) and policy updates (24%). Vendor compliance remains problematic for 38%, while finding regulated data and managing evolving regulations each concern 33%. Despite their resources, only 38% achieve top-tier encryption—the lowest rate across all segments. This paradox reinforces that organizational scale without governance discipline creates more vulnerabilities rather than fewer.

Partner Paradox and Measurement Imperative

One of the survey’s most counterintuitive findings concerns external consultants. Organizations using partners show no inherent advantage over those pursuing certification independently when both maintain measurement discipline. Among organizations with measurement systems, both partnered and solo approaches yield similar results—approximately 45-46% achieve top-tier encryption with low-encryption rates around 19-20%. However, organizations that neither measure nor partner show significantly worse outcomes, with 30% falling into low-encryption categories.

This pattern suggests successful CMMC programs treat partners as amplifiers of internal discipline rather than substitutes for governance maturity. The data indicates that expertise without measurement yields minimal improvement, while measurement without external expertise still drives positive outcomes. For defense contractors considering consultant engagement, the lesson is clear: establish measurement frameworks first, then leverage external expertise to accelerate progress within that framework.

Building Governance Foundations for CMMC Success

Based on survey findings, defense contractors should focus on five interconnected priorities that address the most critical gaps. First and most urgently, organizations must close the contractual security gap. With only 22% embedding security requirements in contracts—5 percentage points below industry average—this represents the most addressable weakness. Every supplier relationship requires explicit data protection requirements, flow-down obligation language, audit rights, and breach notification protocols.

Second, comprehensive measurement systems prove essential for success. The 6-percentage-point improvement in security outcomes for measuring organizations demands establishment of key performance indicators for each control family, automated metric collection where feasible, regular governance reviews, and trend tracking rather than snapshot assessments. Organizations already tracking some metrics should expand coverage and formalize review processes.

Third, vendor risk management must extend beyond basic audits. While 48% conduct supplier audits (above the 44% average), comprehensive vendor governance requires systematic risk assessments, technology platform deployment, continuous monitoring capabilities, and regular reassessment cycles. The 46% of mid-market organizations struggling with vendor compliance demonstrates that even successful segments face ongoing challenges in this area.

Fourth, organizations must align strategy with their size and capabilities. Mid-market success patterns—59% achieving top-tier encryption through governance-first approaches—provide a replicable model. Balance governance investments with technical controls, prioritize policy and process development alongside technology deployment, and resist the enterprise tendency to solve governance problems through technology alone.

Finally, when engaging external partners, treat them as governance enablers rather than turnkey solutions. Require establishment of measurement frameworks, demand knowledge transfer alongside implementation, maintain internal ownership of governance processes, and measure partner effectiveness through improved metrics rather than activity completion.

Path Forward for Defense Contractors

The implications extend beyond individual contractor success to the entire defense industrial base. With 62% of CMMC-pursuing organizations lacking comprehensive governance controls, systemic vulnerabilities persist throughout defense supply chains. Evolving regulations scoring 78 points as a challenge will only intensify as threats evolve and requirements expand. Vendor compliance issues scoring 73 points cascade through supply chain tiers, creating compound risks. Organizations with mature governance gain sustainable competitive advantages, while those failing certification face market consolidation pressures.

Success patterns exist across all organization sizes and sectors. Mid-market firms achieving 59% top-tier encryption through governance-first approaches demonstrate what’s possible with proper prioritization. Even resource-constrained smaller organizations succeed when focusing on measurement discipline and contractual rigor over pure technology investments. The encouraging sign: CMMC organizations already exceed industry averages in effectiveness tracking (95% versus 93%), supplier audits (48% versus 44%), and risk assessments (28% versus 25%). What’s missing is the contractual discipline and comprehensive governance to transform these activities into consistent security outcomes.

Conclusion: Governance as the Foundation for CMMC Success

The data tells an unambiguous story: CMMC 2.0 success depends more on governance maturity than technical sophistication or organizational resources. With nearly two-thirds of defense contractors operating without comprehensive governance controls, the path to certification requires fundamental changes in approach rather than incremental improvements.

Organizations that measure consistently, embed requirements contractually, and scale approaches appropriately achieve demonstrably better outcomes. The 6-percentage-point difference in low-encryption rates between measuring and non-measuring organizations represents thousands of potential vulnerabilities across the defense industrial base. For every organization struggling with the 25% low-encryption rate, another with proper governance achieves the 19% rate—a meaningful difference when multiplied across the entire defense supply chain.

For defense contractors, governance isn’t bureaucracy—it’s the foundation that makes every other investment effective. Organizations building this foundation today position themselves not just for certification but for sustainable competitive advantage in an increasingly security-conscious defense market. The patterns are proven through empirical analysis of 104 CMMC-pursuing organizations. The gaps are clearly identified through comparative analysis against 461 total respondents. The question remaining is whether your organization will join the successful 38% with mature governance or remain among the 62% hoping technical controls alone will suffice.

With CMMC 2.0 Level 2 requirements advancing and defense contracts increasingly contingent on certification, the window for building proper governance foundations continues to narrow. The data shows what works, what doesn’t, and why. The rest depends on organizational commitment to transforming these insights into action.

This analysis is based on Kiteworks’ 2025 Data Security and Compliance Risk: Annual Survey Report. It focuses on 104 organizations actively pursuing CMMC 2.0 Level 2 certification, part of a broader survey of 461 organizations conducted in April 2025.

Frequently Asked Questions

The Kiteworks 2025 survey of 104 organizations pursuing CMMC 2.0 Level 2 certification found that 62% lack comprehensive governance controls. Only 38% have instituted governance control and tracking systems, which is slightly below the 40% rate across all industries. This governance deficit directly correlates with poorer security outcomes, as organizations without measurement discipline show 25% low-encryption rates compared to just 19% for those tracking effectiveness metrics.

Mid-market organizations with 5,000-9,999 employees demonstrate the highest success rate, with 59% achieving top-tier encryption coverage (76-100%). This surpasses smaller organizations under 5,000 employees (52%) and significantly outperforms large enterprises with over 20,000 employees (38%). The key differentiator is approach—mid-market firms prioritize policy updates and governance (36%) rather than focusing primarily on technical controls like their larger and smaller counterparts.

According to the weighted scoring system used in the survey, “keeping up with evolving regulations” ranks first with 78 points, followed closely by “vendor compliance and risk” at 73 points. Notably, 39% of CMMC organizations cite vendor compliance among their top three challenges compared to 32% across all industries, highlighting the unique supply chain pressures in defense contracting. Budget constraints barely register at 5 points, suggesting resources exist but governance frameworks do not.

The survey data reveals a counterintuitive finding: organizations using external consultants show no inherent advantage over those pursuing certification independently when both maintain measurement discipline. Among organizations with measurement systems, partnered and solo approaches yield similar top-tier encryption rates (45-46%). The critical factor is measurement discipline—organizations that neither measure nor use partners show the worst outcomes, with 30% falling into low-encryption categories.

The most addressable governance weakness is contractual security requirements, with only 22% of CMMC organizations embedding these in supplier contracts compared to 27% across all industries. This 5-percentage-point gap is particularly concerning given CMMC’s mandatory flow-down requirements. While 48% conduct regular supplier audits (above the 44% average), without contractual frameworks, organizations cannot ensure suppliers maintain required security controls or properly handle sensitive defense information.
